The EFF SSL Observatory

The EFF SSL Observatory is a project to investigate the certificates used to secure all of the sites encrypted with HTTPS on the Web. We have downloaded datasets of all of the publicly-visible SSL certificates on the IPv4 Internet, in order to search for vulnerabilities, document the practices of Certificate Authorities, and aid researchers interested in the web's encryption infrastructure.

Please note that the data and code are not polished; patches and help are welcome. Questions can be asked on the project's mailing list or directed privately to <ssl-survey - at - eff.org>.

We are particularly concerned about the role and practices of Certificate Authorities (CAs), which are the organizations that can sign cryptographic certificates trusted by browsers. These certificates can contain statements like, "this public key belongs to EFF.org", "this public key belongs to yahoo.com, paypal.com and mozilla.com", or "this public key should be trusted to also act as a CA, signing certificates for other domains".

Browsers trust a very large number of these CAs, and unfortunately, the security of HTTPS is only as strong as the practices of the least trustworthy/competent CA. Before publishing this data, we attempted to notify administrators of all sites observed vulnerable to the Debian weak key bug; please let us know if your analysis reveals other classes of vulnerabilities so that we can notify affected parties.

The data presented here is derived only from observing publicly-accessible servers and could have been collected by anyone. Research for this project is a collaboration between EFF and Jesse Burns at iSEC Partners. Thanks to the NLnet Foundation and SingleHop for supporting this work.